Static Analysis


Top Stories

“Developers need to realize that Automated Defect Prevention benefits them," says Parasoft co-founder & CEO Dr Adam Kolawa in this Exclusive Q&A with SYS-CON Media's Java Developer's Journal. "But they won’t start recognizing this until they see that they have less work," Kolawa continues. The key to success, he adds, is to have an infrastructure handle as much work as possible. "This way, developers have time to focus on the creative tasks they enjoy most...the ones that truly require human intelligence." Dr Adam Kolawa is the coauthor of the recently published Automated Defect Prevention: Best Practices in Software Management (Wiley... (more)

Java Application Security in the Corporate World

The vast majority of corporate developers truly believe that application security is not their concern, assuming that network and engineering groups will build their environment in a secure way. But what about application security? Are you ready for the code audit? Application Security Isn't Getting the Attention It Deserves When most people in the corporate world talk about "security," they mean the security of the network, operating system, and servers. Organizations that want to protect their systems against hacker attacks invest a lot of time, effort, and money ensuring that these three components are secure. Without this secure foundation, systems cannot operate securely. However, even if the network, server, and operating system are 100% secure, vulnerabilities in the application itself make a system just as prone to dangerous attacks as unprotected networks, op... (more)

Automated Error Prevention for Linux

Most organizations that use Linux as a business operating system are developing their own applications for Linux - perhaps in response to the current scarcity of packaged applications available on Linux. With so much internal development for Linux, it is critical that the IT groups building your Linux-based applications have a means to efficiently produce reliable code. If they don't, you will jeopardize the very reliability and cost-effectiveness that most organizations are trying to achieve by turning to Linux. However, most development teams follow a development process that is far from efficient, and the applications they provide typically experience functionality problems and security weaknesses that require patches, updates, and redeployments. In fact, most IT organizations waste a great deal of their time, effort, and resources fixing what is essentially the... (more)

JDJ Product Review — Parasoft Jtest 8.0

In terms of unit testing and code compliance, Jtest is a real heavyweight in the arena. For those who haven't come across Jtest before, it's an application that will analyze your Java application code for you. At present Jtest has 700 built-in rules and 100 security rules and it will autocorrect 250 of those rules for you. It provides Parasoft SOAtest hooks for testing of SOA/Web services and Web apps. The reporting engine is also built-in so once tests are run, you can view and print results via a Web browser. There are some new features such as improved J2EE testing and the Bug Detective, which I will cover later in this review. The front end is built on the Eclipse framework so it will be familiar to some of you. Test projects are created the same way you would create a project in Eclipse. The wizards are easy to use and I got up and running in a short time. You... (more)

JavaOne 2008: Uncommon Java Bugs

Any large Java source base can have insidious and subtle bugs. Every experienced Java programmer knows that finding and fixing these bugs can be difficult and costly. Fortunately, there are a large number of free open source Java tools available that can be used to find and fix defects early in the development life cycle. In this article, we’ll look at a few examples of specific uncommon[1] or unusual defects that can happen in code and see how different Java static analysis tools detect them. Testing As software gets more complex and ubiquitous, it becomes more difficult to ensure high-quality code. One common method of finding bugs is testing. But testing can’t cover all paths and possibilities or enforce good programming practices. Expert knowledge in the form of manual code review by peers is one of the best ways to ensure good code quality. Code revie... (more)

The Paradox of Writing Perfect Code

Don't you love looking at a good piece of code? I'm talking about the kind of code where the design is so sound that the code practically wrote itself, where there were no nasty surprises at implementation, where it was 100% feature complete and bug-free, and you didn't have to patch it up a bunch of times. Maybe I'm squarely in the land of Santa Claus and the Easter Bunny, but I believe, deep down, all developers want to write that perfect piece of code. Unfortunately, real life has other ideas. Deadlines, unclear or conflicting requirements, ridiculous scope, being human - all these things keep us from the promised land of perfect code. But here's the rub: though it may be satisfying to dream about, it's likely that you'll never produce truly perfect code for real-world applications. You'll sit down to write a piece of code, you'll do the best you can, taking int... (more)

Bulletproof .NET Code

.NET languages are becoming increasingly popular for driving the application logic for business-critical SOA and Web applications. In these contexts, functional errors are simply not acceptable, and reliability, security, and performance problems can have serious repercussions. Yet, few development teams have the resources to ensure that their code is free of implementation errors, let alone also worry about reliability, security, and performance. Whether or not your team has a satisfactory strategy for functional testing, you're taking several significant risks if you haven't yet implemented a comprehensive team-wide quality-management strategy: New code might cause the application to become unstable, produce unexpected results, or even crash when the application is used in a way that you didn't anticipate (and didn't test for). New code might open the only door tha... (more)

Product Review: Parasoft WebKing

Quality-conscious developers are familiar with the idea of coding checklists. The code you write must measure up to all the criteria on the checklist, from "no grammatical errors in the comments" to "performs all required functions." Based on these checklists, we have code reviews. A good code review takes time, but is certainly worth the effort. Such reviews can prevent many costly errors. However, when crunch time hits, thorough code reviews are often impossible. That's where a tool like Parasoft's WebKing can help. For several decades tools to automatically generate and run tests have been available. As I wrote in Program Smarter, Not Harder, automated testing tools can provide the most bang for the buck in software development process improvement. After years of fighting software wars, developers have figured out that catching errors using static analysis relativ... (more)

Flow Analysis: Static Analysis on Steroids

There are three main types of software bugs:
• Poorly implemented requirements - The software doesn't operate as expected because the functionality defined in the requirements was implemented incorrectly.
• Missing or incomplete requirements - The software doesn't perform necessary operations or handle feasible scenarios because the stakeholders/designers didn't anticipate the need for such functionality and didn't specify requirements for it, or because the developers failed to implement a specified requirement.
• Confused user - The software was designed in a way that lets confused users take unexpected paths.
Building a robust regression suite is the best way to identify poorly implemented requirements, and performing negative testing is the best way to identify confused user errors. However, finding missing requirements is difficult because it's no... (more)

How Good Is Good Enough?

Intellectually everyone understands that improving code quality is a good thing. After all, we know bad quality when we see it. (Anyone old enough can cast his or her mind back to the late '80s and Microsoft Word for Windows 1.0.) But we also know that there comes a point where there's a diminishing return on our investment in code quality. How much work would you put into tracking down a bug that's only ever been reported once by a user running on OS/2 Warp? The problem with code quality initiatives is that we really don't know how much effort to put into them. We have never truly answered the question: how much quality is enough? Why Code Quality Is Important The Standish Group famously reports on the software industry's inability to deliver successful projects on a regular basis. In 2004, it reported that just 29% of software projects were considered a "success."... (more)

Jtest 5.0 from Parasoft

Most developers would agree that software development is not as daunting a task as is efficient software development. We have seen teams that can design and develop software - and with automated development tools, IDEs as they are called, the software development process has become a lot easier. But while an architect can always come up with a design and a development team can write the code for a given design, there aren't many developers who can write the best possible code for a given design - especially in the case of distributed application development, in which multiple teams are working on modules of a given application. How can you ensure that what comes out of these multiple teams is coherent and that it will work? This is where the need for software testing tools comes in. Testing tools not only help you detect errors in code, they can help you implement ... (more)